Today we've got some pretty cool news! We've just released the preview of our new Windows Azure Active Authentication service. A few months ago we showed you how to enable multi-factor authentication for your Azure AD Global Admins. With this preview we're giving you the ability to give all your employees, customers and partners a rich set of smartphone-based two-factor authentication options.

Starting now, companies can use this preview to enable multi-factor authentication for all their Windows Azure Active Directory identities, securing access to Office 365, Windows Azure, Windows Intune, Dynamics CRM Online and many of the other applications that are integrated with Windows Azure AD. Additionally, developers can use the Active Authentication SDK to build multi-factor authentication into their custom applications and directories.

Getting Started

To start using multi-factor authentication with your Windows Azure Active Directory tenant, you’ll first need to add the Active Authentication service. To do that:

Sign in to the Windows Azure Portal as an Administrator.

On the Active Directory page, at the top, select Active Auth Providers.

c. Directory – Enter the Windows Azure Active Directory tenant that the Active Authentication Provider is going to be used with, e.g. Contoso Demo

Fig 3: Completing the Authentication Provider Quick Create form

Once you click create, the Active Authentication Provider will be created and you should see a message stating: Successfully created Active Authentication Provider.

Click Ok

Now you've got Active Authentication provisioned and ready to use. Time to configure which users will have it enabled.

Turning on multi-factor authentication for specific users

Click on the Active Directory tab on the left

Click the Directory tab underneath the Active Directory header

Click on your Windows Azure AD tenant.

On the Users page, click the user you want to enable.

Select the Require Multi-factor Authentication check box

Fig 4: Activating 2 Factor Authentication for a user

Your admin tasks are all done. Pretty easy eh?

Signing in with Windows Azure Active Authentication Service

Once Active Authentication has been enabled for a user, the next time that user signs into a service that uses Windows Azure AD, they will be asked to select and configure one of these multi-factor authentication methods:

This auto-enrollment feature makes deploying multi-factor authentication easy and hassle-free for IT Pros while providing the end user the flexibility to configure the primary method that suits their needs. Users can add or change methods later.

While all four of these authentication methods work great, my favorite is our Active Authentication app (available for Windows Phone, iOS and Android smartphones and tablets). You can download the free app from the device store and activate it. If you are a gadget geek like me, this is the one you’ll want to use!

First, if you are logged into Windows Azure, Office 365, or another service integrated with Windows Azure AD, log out.

Using your browser, sign in to Windows Azure or Office 365.

You will be prompted to configure your multi-factor options. Click the "Set it up now" button.

Fig 5: Prompt to configure Multi-Factor Auth when signing in the first time.

This will bring up the Additional Security Verification settings page. Once that page loads, under mobile app, select the check box and click Configure.

Fig 6: Additional Verification Page

That will bring up the App Configuration screen:

Fig 7: Configure App Screen

On the phone that has the Active Authentication app installed, launch the app.

Now click the + sign in the app to add a new account.

Then click the barcode scanner button on the far right in the app. This will launch the camera.

Fig 8: Active Authentication App Configuration Screen

Scan the barcode picture that came up with the configure phone app screen.

After a few seconds you should see a 6 digit code on the app screen. Once you see this, click the check mark button on the configure phone app screen.

Click Save.

You are all set!

The next time you sign in to a cloud application or service protected by Windows Azure AD, the app will activate on your phone and ask you to authenticate or deny the login. You also have the option to report the attempt as being fraudulent.

Of course, the app is my personal favorite, but you might like receiving a phone call better, and most of the folks on our team prefer the SMS messaging option. The great thing about the service is that your users can choose the method they like best and switch between methods without any additional configuration on your part.

We’ll have a lot more coming in this space in the very near future, so stay tuned. And as always, we would love to hear your feedback. Head over to the Windows Azure Active Authentication forum to let us know what you think.

Yes the scan works and I get the code on my phone. I click done then it just goes to Checking for several minutes and then the failed message

Alex_SimonsMS

11 Jul 2013 12:56 AM

ok - that helps. Let me check with the team to see if we are seeing failures in our service logs.

Jeffry van de Vuurst

11 Jul 2013 12:57 AM

Where can we get the SDK to build this into our custom apps? We are building a cross-platform mobile app for Dynamics CRM, so I'm looking to implement this on Windows Phone, iOS, Android and BlackBerry.

Mohit Saxena - MSFT

11 Jul 2013 12:57 AM

Hi Sean,

Can you send me the details of your errors so that we can investigate? Or if you can email me your contact info (name/phone/email) I can have one of the engineers call you and collect the information for investigation. Please email me at mohitsa@microsoft.com

Thanks

Alex_SimonsMS

11 Jul 2013 12:57 AM

@Jeffry: We'll have a detailed post on the SDK next week. But if you want to get started now here's how:

1.) Log on to the Windows Azure Portal using the Global Admin for your Azure AD tenant.

2.) Select the Active Directory tab on the left

3.) On the Active Directory page, select Active Auth Providers across the top.

4.) In the tray at the bottom of the page, click Manage.

This will take you to the 2FA configuration pages where you can download the SDK.

We have versions for Perl, Ruby, PHP, ASP.NET and Java.

Hope that helps!

Regards,

Alex

Masa Miura

11 Jul 2013 12:57 AM

Can we use this function in Japan without any additional charge? (What I mean is call charge to the mobile phones)

Alex_SimonsMS

11 Jul 2013 12:58 AM

Hi Masa,

Any charges you pay when using your smart phone to receive SMS messages or calls will still apply.

Regards,

Alex

mcodyw

11 Jul 2013 12:58 AM

I couldn't get the screen to configure the app to come up. It generated an error. I continued without setting it up, and the texting works fine, but how can I go back and try to set the app up again? I also posted on the forum with more details.

social.msdn.microsoft.com/.../bfa677a4-74ec-4600-b211-6320169d336d

Anton Vidishchev

11 Jul 2013 12:58 AM

I experience the same issue as Sean, please contact me for details if needed.

As well, the walkthrough is a bit misleading. It says:

•Scan the barcode picture that came up with the configure phone app screen.

•After a few seconds you should see a 6 digit code on the app screen. Once you see this click the check mark button on the configure phone app screen.

•Click Save.

In reality, after you scan the barcode (Lumia 920), there are no check mark or save buttons. The app just shows six-digit codes, and the only available button is "+" to create new account and settings.

Anton Vidishchev

11 Jul 2013 12:58 AM

One more question: will the charges for Active Auth apply to Azure subscription?

Such as, if I have 200$ a month free on MSDN, can I use some of them for Active Auth?

Alex_SimonsMS

11 Jul 2013 12:59 AM

@Sean: Talking with the team, we fixed this issue today. Thank you for your help on this and for verifying it worked for you!

Bhavini Soneji - MSFT

11 Jul 2013 12:59 AM

Hi Anton,

Thanks for your feedback.

Yes, Active Auth charges will apply to your Azure Subscription that was referenced when you created the Active Auth Provider.

Regarding your Phone App Activation issue,

- The save button is to be clicked on the configure phone app screen browser window and not on your phone app.

- Anton, are you syncing your users from AD to AAD using Dirsync?

Thanks

Bhavini

mcody

11 Jul 2013 12:59 AM

The dual-factor is great.

What will the charge for Office 365 users be to be able to use Active Auth? Is it the same as those that have the Azure subscription?